azurermSentinelThreatIntelligenceIndicator
Manages a Sentinel Threat Intelligence Indicator.
Example Usage
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";

new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "east us",
    name: "example-rg",
  }
);
const azurermLogAnalyticsWorkspaceExample =
  new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_2", {
    location: azurermResourceGroupExample.location,
    name: "example-law",
    resourceGroupName: azurermResourceGroupExample.name,
    retentionInDays: 30,
    sku: "PerGB2018",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
  new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
    this,
    "example_3",
    {
      resourceGroupName: azurermResourceGroupExample.name,
      workspaceName: azurermLogAnalyticsWorkspaceExample.name,
    }
  );
azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId("example");
const azurermSentinelThreatIntelligenceIndicatorExample =
  new azurerm.sentinelThreatIntelligenceIndicator.SentinelThreatIntelligenceIndicator(
    this,
    "example_4",
    {
      // The indicator can only be created once the workspace has been onboarded to Sentinel.
      dependsOn: [azurermSentinelLogAnalyticsWorkspaceOnboardingExample],
      displayName: "example-indicator",
      pattern: "http://example.com",
      patternType: "domain-name",
      source: "Microsoft Sentinel",
      validateFromUtc: "2022-12-14T16:00:00Z",
      workspaceId: azurermLogAnalyticsWorkspaceExample.id,
    }
  );
azurermSentinelThreatIntelligenceIndicatorExample.overrideLogicalId("example");
```
Arguments Reference
The following arguments are supported:
- `displayName` - (Required) The display name of the Threat Intelligence Indicator.
- `patternType` - (Required) The type of pattern used by the Threat Intelligence Indicator. Possible values are `domain-name`, `file`, `ipv4-addr`, `ipv6-addr` and `url`.
- `pattern` - (Required) The pattern used by the Threat Intelligence Indicator. When `patternType` is set to `file`, `pattern` must be specified in `<hashName>:<value>` format, such as `md5:78Ecc5C05Cd8B79Af480Df2F8Fba0B9D`.
- `source` - (Required) The source of the Threat Intelligence Indicator.
- `validateFromUtc` - (Required) The start of the validity period of the Threat Intelligence Indicator, in RFC3339 format.
- `workspaceId` - (Required) The ID of the Log Analytics Workspace. Changing this forces a new Sentinel Threat Intelligence Indicator to be created.
- `confidence` - (Optional) The confidence level of the Threat Intelligence Indicator.
- `createdBy` - (Optional) The creator of the Threat Intelligence Indicator.
- `description` - (Optional) The description of the Threat Intelligence Indicator.
- `extension` - (Optional) The extension config of the Threat Intelligence Indicator, in JSON format.
- `externalReference` - (Optional) One or more `externalReference` blocks as defined below.
- `granularMarking` - (Optional) One or more `granularMarking` blocks as defined below.
- `killChainPhase` - (Optional) One or more `killChainPhase` blocks as defined below.
- `tags` - (Optional) Specifies a list of tags of the Threat Intelligence Indicator.
- `language` - (Optional) The language of the Threat Intelligence Indicator.
- `modifiedBy` - (Optional) The user or service principal who modified the Threat Intelligence Indicator.
- `objectMarkingRefs` - (Optional) Specifies a list of Threat Intelligence marking references.
- `patternVersion` - (Optional) The version of the Threat Intelligence entity.
- `revoked` - (Optional) Whether the Threat Intelligence entity is revoked.
- `threatTypes` - (Optional) Specifies a list of threat types of this Threat Intelligence Indicator.
- `validateUntilUtc` - (Optional) The end of the validity period of the Threat Intelligence Indicator, in RFC3339 format.
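A pre-flight check in the stack code catches a malformed `pattern` before `cdktf deploy` sends it to Azure. This added example (not code from the azurerm provider or from this page) validates a `pattern` against the five `patternType` values and the `<hashName>:<value>` form required for `file`; the expected digest lengths for `md5`, `sha1` and `sha256`, and the `filePattern` helper name, are assumptions, since the page itself only shows `md5`.

```typescript
// Added example: validate the `pattern` argument of a Sentinel Threat Intelligence
// Indicator before it is passed to the CDKTF resource. Not part of the azurerm provider.

// Assumption: hex digest lengths for the hash names a feed commonly emits.
// The page only documents the `md5:<value>` form; other names pass through unchecked.
const HASH_HEX_LENGTH: Record<string, number> = { md5: 32, sha1: 40, sha256: 64 };

// Returns null when the pattern is acceptable for the given patternType,
// otherwise a short reason string describing the problem.
export function validatePattern(patternType: string, pattern: string): string | null {
  if (pattern.trim() === "") return "pattern is empty";
  switch (patternType) {
    case "file": {
      // Documented form: <hashName>:<value>, e.g. md5:78Ecc5C05Cd8B79Af480Df2F8Fba0B9D
      const m = /^([A-Za-z0-9-]+):([0-9A-Fa-f]+)$/.exec(pattern);
      if (!m) return "file pattern must be <hashName>:<hexValue>";
      const want = HASH_HEX_LENGTH[m[1].toLowerCase()];
      if (want !== undefined && m[2].length !== want)
        return `${m[1]} digest must be ${want} hex characters`;
      return null;
    }
    case "ipv4-addr":
      // Dotted quad with each octet in 0..255.
      return /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/.test(pattern)
        ? null
        : "not a dotted-quad IPv4 address";
    case "ipv6-addr":
      // Loose check: hex groups separated by colons (compressed forms allowed).
      return /^[0-9A-Fa-f:]+$/.test(pattern) && pattern.includes(":")
        ? null
        : "not an IPv6 address";
    case "url":
      try { new URL(pattern); return null; } catch { return "not a parseable URL"; }
    case "domain-name":
      return /\s/.test(pattern) ? "domain-name must not contain whitespace" : null;
    default:
      return `unknown patternType ${patternType}; expected domain-name, file, ipv4-addr, ipv6-addr or url`;
  }
}

// Build a `file` pattern in the documented form with lowercase hash name and digest,
// so the same hash received from two feeds compares equal. Throws on an invalid digest.
export function filePattern(hashName: string, hexDigest: string): string {
  const p = `${hashName.toLowerCase()}:${hexDigest.toLowerCase()}`;
  const problem = validatePattern("file", p);
  if (problem) throw new Error(problem);
  return p;
}
```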
An `externalReference` block supports the following:
- `description` - (Optional) The description of the external reference of the Threat Intelligence Indicator.
- `hashes` - (Optional) The list of hashes of the external reference of the Threat Intelligence Indicator.
- `sourceName` - (Optional) The source name of the external reference of the Threat Intelligence Indicator.
- `url` - (Optional) The URL of the external reference of the Threat Intelligence Indicator.
A `granularMarking` block supports the following:
- `language` - (Optional) The language of the granular marking of the Threat Intelligence Indicator.
- `markingRef` - (Optional) The reference of the granular marking of the Threat Intelligence Indicator.
- `selectors` - (Optional) A list of selectors of the granular marking of the Threat Intelligence Indicator.
A `killChainPhase` block supports the following:
- `name` - (Optional) The name which should be used for the Lockheed Martin cyber kill chain phase.
Attributes Reference
In addition to the Arguments listed above, the following Attributes are exported:
- `id` - The ID of the Sentinel Threat Intelligence Indicator.
- `createdOn` - The date this Threat Intelligence Indicator was created.
- `defanged` - Whether the Threat Intelligence entity is defanged.
- `externalId` - The external ID of the Threat Intelligence Indicator.
- `externalLastUpdatedTimeUtc` - The external last updated time, in UTC.
- `indicatorTypes` - A list of indicator types of this Threat Intelligence Indicator.
- `lastUpdatedTimeUtc` - The last updated time of the Threat Intelligence Indicator, in UTC.
- `guid` - The GUID of this Sentinel Threat Intelligence Indicator.
- `parsedPattern` - A `parsedPattern` block as defined below.
A `parsedPattern` block exports the following:
- `patternTypeKey` - The type key of the parsed pattern.
- `patternTypeValues` - A `patternTypeValues` block as defined below.
A `patternTypeValues` block exports the following:
- `value` - The value of the parsed pattern type.
- `valueType` - The type of the value of the parsed pattern type.
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `create` - (Defaults to 30 minutes) Used when creating the Sentinel Threat Intelligence Indicator.
- `read` - (Defaults to 5 minutes) Used when retrieving the Sentinel Threat Intelligence Indicator.
- `update` - (Defaults to 30 minutes) Used when updating the Sentinel Threat Intelligence Indicator.
- `delete` - (Defaults to 30 minutes) Used when deleting the Sentinel Threat Intelligence Indicator.
Import
Sentinel Threat Intelligence Indicators can be imported using the `resourceId`, e.g.